National Aeronautics and Space Administration
Office of Inspector General
Washington, DC 20546-0001

January 29, 2014

The Honorable Barbara A. Mikulski
Chairwoman
Subcommittee on Commerce, Justice, Science, and Related Agencies
Committee on Appropriations
United States Senate
Washington, DC 20510

The Honorable Richard C. Shelby
Ranking Member
Subcommittee on Commerce, Justice, Science, and Related Agencies
Committee on Appropriations
United States Senate
Washington, DC 20510

Dear Madam Chairwoman and Senator Shelby:

The National Aeronautics and Space Administration Authorization Act of 2000 directs the NASA Inspector General to conduct an annual audit to assess the extent to which NASA is complying with Federal export control laws and the Act’s requirement that NASA report to Congress any cooperative agreements between the Agency and China or any Chinese company.1

The NASA Office of Inspector General (OIG) last reported to you regarding these issues in January 2013. Since that date, NASA has not entered into any cooperative agreements with China or any Chinese company. During the past year, the OIG conducted four audits examining the Agency’s controls for its information technology (IT) assets and security systems, many of which contain data subject to export control laws. In addition, during this period we completed a special review examining a Chinese national’s access to NASA’s Langley Research Center, and our Office of Investigations closed two investigations related to the security of NASA’s IT assets or concerns about Chinese-manufactured parts. We summarize this work below.

1 Public Law 106-391, codified at 51 U.S.C. § 30701(a)(3).

Audit Reports

NASA’s Information Technology Governance (IG-13-015, June 5, 2013)

IT governance is a process for designing, procuring, and protecting IT resources. For this reason, effective IT governance must balance compliance, cost, risk, security, and mission success to meet the needs of internal and external stakeholders. In this audit, we examined whether NASA’s IT governance structure appropriately aligns authority and responsibility to support the Agency’s overall mission.

We found that the decentralized nature of NASA’s operations and its longstanding culture of autonomy hinder the Agency’s ability to implement effective IT governance. NASA’s Chief Information Officer (CIO) has limited visibility and control over a majority of the Agency’s IT investments, operates in an organizational structure that marginalizes the authority of the position, and cannot enforce security measures across NASA’s computer networks. Specifically, although the CIO is responsible for developing IT security policies and procedures and implementing an Agency-wide IT security program, because the position lacks authority and control over the majority of NASA’s networks, the CIO is unable to enforce the implementation of IT security programs across all NASA IT assets.

NASA’s ability to secure its networks is further complicated because the Agency lacks a complete inventory of IT assets. For example, five Center CIOs told us they could not account for 100 percent of the IT systems and hardware at their Centers. To overcome the barriers that have resulted in inefficient and ineffective management of the Agency’s IT assets and IT security, we made eight recommendations to the CIO. The CIO generally concurred with our recommendations and proposed appropriate corrective actions.

To view the full report, visit http://oig.nasa.gov/audits/reports/FY13/IG-13-015.pdf.

NASA’s Progress in Adopting Cloud-Computing Technologies (IG-13-021, July 29, 2013)

The adoption of cloud-computing technologies has the potential to improve IT service delivery and reduce the costs associated with managing NASA’s diverse IT portfolio. Specifically, cloud computing offers the potential for significant cost savings through faster deployment of computing resources, a decreased need to buy hardware or build data centers, and enhanced collaboration capabilities. NASA was a pioneer in cloud computing, having established its own private cloud-computing data center, called Nebula, in 2009 at the Ames Research Center. In 2012, NASA shut down Nebula based on the results of a 5-month test that benchmarked Nebula’s capabilities against those of Amazon and Microsoft. The test found that public clouds were more reliable and cost effective and offered much greater computing capacity and better IT support than Nebula.

In our audit, we examined whether NASA evaluated the security of and risks in moving Agency data and services to the cloud. We found that weaknesses in NASA’s IT governance and risk management practices have impeded the Agency from fully realizing the benefits of cloud computing and potentially put NASA systems and data stored in the cloud at risk. For example, several NASA Centers moved Agency systems and data into public clouds without the knowledge or consent of the CIO. Moreover, on five occasions NASA acquired cloud-computing services using contracts that failed to fully address the business and IT security risks unique to the cloud environment. Finally, NASA moved a system to a public cloud, where it operated for 2 years without authorization, a security or contingency plan, or a test of the system’s security controls.

We made eight recommendations to the CIO to help strengthen NASA’s cloud-computing practices, mitigate business and IT security risks, and improve contractor oversight. The CIO concurred with our recommendations and proposed appropriate corrective actions.

To view the full report, visit http://oig.nasa.gov/audits/reports/FY13/IG-13-021.pdf.

NASA’s Process for Acquiring Information Technology Security Assessment and Monitoring Tools (IG-13-006, March 18, 2013)

NASA spends more than $1.5 billion annually on IT assets, including approximately 550 information systems the Agency uses to control spacecraft, collect and process scientific data, provide security for its IT infrastructure, and enable personnel to collaborate with colleagues around the world. However, the Agency’s use of advanced technology, coupled with the large size of its networks, makes NASA an attractive target for cyber-attacks. To thwart such attacks, NASA must ensure that its IT systems and their associated components are regularly safeguarded, assessed, and monitored. The Agency’s CIO spends at least $58 million annually on IT security, a portion of which is used to acquire and manage security assessment and monitoring tools. In this audit, we examined NASA’s policies and procedures related to its acquisition of IT security assessment and monitoring tools.

We found that the Agency has not fully implemented a process for identifying its IT security assets. Because NASA does not have a process that captures, consolidates, and assesses IT security tool requirements across the Agency, centralized purchases of tools do not regularly occur. This inability to consolidate requirements and centralize purchases limits NASA’s efforts to reduce cost and improve program efficiencies on critical IT investments. To improve NASA’s process for acquiring Agency-wide IT security assessment and monitoring tools, we made four recommendations to NASA’s CIO. The CIO concurred with our recommendations and proposed appropriate corrective actions.

To view the full report, visit http://oig.nasa.gov/audits/reports/FY13/IG-13-006.pdf.

Federal Information Security Management Act: Fiscal Year 2013 Evaluation (IG-14-004, November 20, 2013)

This annual report, submitted as a memorandum from the Inspector General to the NASA Administrator, provides the OIG’s independent assessment of NASA’s IT security posture. For fiscal year 2013, the OIG reviewed a sample of eight Agency IT systems and two contractor IT systems. We also reviewed NASA’s progress in implementing prior OIG recommendations.

Overall, we found that NASA has established a program to address the challenges in each of the 11 areas designated by the Office of Management and Budget for review: continuous monitoring management, configuration management, identity and access management, incident response and reporting, risk management, security training, plan of action and milestones, remote access management, contingency planning, contractor systems, and security capital planning. However, we also found that the Agency needs to enhance its efforts with regard to configuration management, risk management, and contractor systems.

To view a summary of this report, visit http://oig.nasa.gov/audits/reports/FY14/IG-14-004.pdf.

Special Review

Bo Jiang’s Access to NASA’s Langley Research Center (October 22, 2013)

In March 2013, a member of Congress publicly questioned whether NASA had inappropriately afforded Bo Jiang, a Chinese national working as a NASA contractor, access to the Langley Research Center (Langley) and to Agency data and IT. The Congressman’s concerns were prompted at least in part by internal NASA documents suggesting it had been improper for Langley to hire Jiang as a contractor, allow him unescorted access to the Center, and provide him with data related to his research. On March 16, 2013, after being terminated from his position, Jiang was in the process of returning to China when agents from the Department of Homeland Security searched him at Dulles International Airport as part of an investigation of potential export control violations. After questioning him about the electronic media he had in his possession, agents took Jiang into custody and charged him with making a false statement to Federal authorities because a search of his belongings revealed media he had not declared. Subsequent to Jiang’s guilty plea to a misdemeanor security offense, the OIG opened an administrative investigation to examine the process by which Jiang came to work at Langley and the information and IT resources to which he was given access.

In 2002, Langley and the National Institute of Aerospace (NIA), a nonprofit research and graduate education organization located in Hampton, Virginia, entered into a cooperative agreement pursuant to which Langley frequently hired NIA personnel as contractors to work on NASA research projects. Jiang originally came to the United States in 2007 as a Ph.D. student at Old Dominion University in Norfolk, Virginia, before becoming a postdoctoral research assistant for the NIA. Jiang began working at Langley in January 2011.

In November 2011 and again in November 2012, Jiang visited family in China, taking with him a NASA-provided laptop computer. It was during the second visit that an export control professional at Langley learned that Jiang had taken the laptop to China and raised concerns with attorneys at Langley and personnel in the Headquarters’ Export Control Office about Jiang’s travel and access to NASA information without prior review by export control officials. The Langley export control official also claimed that Jiang’s work as a paid NASA contractor violated funding restrictions in NASA’s appropriations legislation. Jiang returned to the United States in December 2012, and Center computer security personnel examined his NASA-provided laptop to determine whether it contained export-controlled information. In January 2013, NIA terminated Jiang’s employment for violating NIA policy by taking the laptop to China and because NASA had ended the agreement under which Jiang had been hired.

We found that NASA did not violate appropriations restrictions by hiring Jiang as a paid contractor through the NIA cooperative agreement. Moreover, while Langley’s process for requesting access for foreign nationals was structured pursuant to NASA regulations, we found the process overly complex, dependent on input from numerous Center and Headquarters employees, and not sufficiently integrated to ensure that responsible personnel had access to all relevant information. In addition, we determined that several employees who had roles in the screening process made errors that contributed to the confusion about the proper scope of Jiang’s access to Langley facilities and IT resources and the appropriateness of Jiang taking his NASA-provided laptop to China.

In the wake of the Jiang incident and at the request of the NASA Administrator, Langley management has taken a number of steps to strengthen its foreign national access process, including increased education and training for Langley employees, revising the form used to request access for foreign nationals, ensuring the Center CIO’s Office is involved in the foreign visitor request process, and contracting with the National Academy of Public Administration to assess the effectiveness of NASA’s Agency-wide foreign national access program. We made six recommendations in our review to improve NASA’s foreign visitor approval process. The NASA Administrator concurred with our recommendations and proposed appropriate corrective actions.

To view the full report, visit http://oig.nasa.gov/Special-Review/OIG_Investigative_Summary.pdf.

Investigations

Romanian National Arrested and Indicted

On January 17, 2013, a Romanian national was indicted in U.S. District Court for the Southern District of New York on multiple counts of criminal conspiracy. The Romanian national allegedly ran a “bulletproof hosting” service that enabled cybercriminals to distribute malicious software and conduct sophisticated cybercrimes. Malware distributed by this hosting service has infected over one million computers worldwide, including computers belonging to NASA, causing tens of millions of dollars in losses to individuals, businesses, and government entities. The OIG is working jointly with the FBI on this investigation.

Civil Settlement with Government Contractor

In February 2013, World Wide Technology, Inc., agreed to pay $735,000 to settle allegations that it violated the Trade Agreements Act, which requires that goods provided to the Federal Government be manufactured in designated countries. The investigation began after the company self-disclosed that it may have incorrectly certified that products sold to NASA and the Department of Defense were in compliance with the Act. A joint investigation by the OIG and the Department of Defense confirmed that the company had improperly filled 174 orders, including 29 NASA orders worth $255,000, using Chinese-manufactured products.

If you or your staff would like to meet with us to discuss any of the reports or investigations discussed in this letter, please contact me or Renee Juhans, OIG Executive Officer, at 202-358-1220.

Sincerely,

Paul K. Martin
Inspector General

cc:   Charles F. Bolden, Jr.
      NASA Administrator

      David Radzanowski
      Chief of Staff

      Larry Sweet
      Chief Information Officer

      Michael F. O’Brien
      Associate Administrator, International and Interagency Relations

      Richard Keegan
      Associate Administrator, Mission Support Directorate

      Michael Wholley
      General Counsel

Identical letter to:

United States Senate:
The Honorable John D. Rockefeller, IV
The Honorable John Thune
The Honorable Bill Nelson
The Honorable Ted Cruz
The Honorable Thomas R. Carper
The Honorable Tom Coburn

U.S. House of Representatives:
The Honorable Frank Wolf
The Honorable Chaka Fattah
The Honorable Darrell Issa
The Honorable Elijah Cummings
The Honorable John Mica
The Honorable Gerry Connolly
The Honorable Lamar Smith
The Honorable Eddie Bernice Johnson
The Honorable Paul Broun
The Honorable Dan Maffei
The Honorable Steven Palazzo
The Honorable Donna F. Edwards